Forum Discussion
Former Member
5 years ago
1Password8/Windows and Windows Hello on first signin?
Hi! I'm trying to figure out why manually entering my master password is required on first run of the 1Password 8 app on Windows, and Windows Hello can only be used after initial sign in when 1Password relocks. On iPhone/iPad (and maybe Mac?), you can use FaceID for the initial sign in. Is that difference intentional (it seems like it from the release notes), and if so what is the reasoning?
Thanks!
1Password Version: 8.2.2
Extension Version: Not Provided
OS Version: Windows 11
47 Replies
- MikeT
1Password Team
That's great to hear, thanks for letting us know.
We've just shipped 1Password 8.6.1 stable update to everyone with more Windows Hello improvements including extending TPM support to AMD's fTPM and vTPM in certain virtualization solutions.
- Former Member
As I posted on the Reddit thread as well, thanks to baldersz, this fixed the greyed out checkbox and got Windows Hello working with 1Password again in general.
Thanks 1Password and baldersz!
- 1P_PeterG
Community Manager
Thanks for the updates, folks. We appreciate you keeping us apprised of how this is working for you!
- Former Member
Former Member glad it worked for you too, disabling / enabling Windows Hello should have the same effect as MikeT mentioned. Although in your case it was greyed out, so you had no choice but to force delete!
- pbryanw
New Contributor
This was also an issue for me - I couldn't remove my PIN code in Windows settings.
I've since discovered that you have to disable the "For improved security, only allow Windows Hello sign-in..." checkmark in Accounts -> Sign-in options, before you can remove your PIN. More info here:
https://www.thewindowsclub.com/windows-hello-pin-remove-button-greyed-out
- Former Member
Cool, with this information I was able to determine with certutil my Windows Hello PIN was software-based, not TPM-based. It seems I created the PIN a long time ago when the TPM wasn't enabled in BIOS.
I removed the PIN and re-created it, now certutil shows the PIN is hardware-based and I was able to enable TPM support in 1Password.
If 1Password is started, I have to enter now only the PIN, not the full master password.
Thanks!
ps. by the way, just changing the PIN didn't move it from software-based to hardware-based according to certutil. Since the option to remove the pin was greyed out in Windows settings, I used certutil -DeleteHelloContainer to forcibly remove the pin. I logged off, then back on and then I enrolled a new PIN. Now it was finally hardware-based.
- MikeT
1Password Team
I would suggest that anyone else who has this issue, waits for official documentation from 1Password, before proceeding with troubleshooting.
Correct, there is no need to do the command line as the same can be accomplished by turning off the biometric or PIN feature in the Windows Settings' Accounts > Sign-in options and re-enrolling the biometric or PIN; it'll go into the TPM's hardware store. This is assuming Windows has confirmed there is TPM enabled (click Start, search for Security Processor).
We will be adding some docs on this once this is working for folks in the way we expect it to work.
- pbryanw
New Contributor
Hi, in my case, I upgraded to Windows 11, and enabled TPM, after I'd set up a PIN for Windows Hello in my previous Windows 10 installation. So, I was also experiencing the private key issue that @baldersz first discovered.
Thanks to them, I was able to run:
certutil -DeleteHelloContainer
logoff
In Windows Terminal. This deleted my current Windows Hello configuration, and meant I had to re-enter my Windows password on next login. From here, I was able to set up my PIN again, and this time my 1Password-Enclave-Key (stored in the TPM) returned a code of NgcKeyImplType: 1 (0x1). I could then enable the TPM security option in 1Password.
I would suggest though, that anyone else who has this issue waits for official documentation from 1Password, before proceeding with troubleshooting.
- MikeT
1Password Team
Hi folks,
As we continue to work with you awesome folks here and collect more data, we were able to find a solution that works better with more TPM chipsets.
The next nightly (80700018, now available) and beta updates are going to have a major improvement with Windows Hello support where we can now work with AMD fTPM as well as vTPM in VMware Workstation on Windows and Parallels on Mac solutions (other virtual machine software may also work but we've tested these two).
@baldersz, that's a great find and thanks for sharing it with us, we will probably include it as a troubleshooting method. We are trying to investigate everything we can find (we don't have a lot of docs and APIs to work with here) and that's a part of the conversation we're trying to have with Microsoft to find a solution where we can get the best of everything. We're getting there for sure, the current nightly builds have a lot of Windows Hello improvements already.
- Former Member
krtickak you're exactly right. Windows Hello can operate without a TPM, and will store its private key in Software Key Storage within Windows if it cannot detect a TPM. Enabling fTPM or installing a hardware TPM (like I did too) doesn't automatically transfer this private key to the TPM. Glad we got it sorted!
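
Added example, not part of any post in this thread and not 1Password's code: a small Python parser that reads a saved certutil key listing and reports which Windows Hello keys lack the hardware flag in `NgcKeyImplType`, the software-versus-TPM check the posts above describe. Assumptions: the listing was saved from `certutil -csp "Microsoft Passport Key Storage Provider" -key -v`, each key's name line contains a `/` and precedes its `NgcKeyImplType` line, and the sample text and its placeholder names are constructed.

```python
import re

# NCRYPT_IMPL_* bit flags as defined in the Windows SDK header ncrypt.h.
IMPL_FLAGS = {0x1: "hardware", 0x2: "software", 0x8: "removable",
              0x10: "hardware-rng", 0x20: "virtual-isolation"}

# Matches the line format quoted in the thread: "NgcKeyImplType: 1 (0x1)".
IMPL_RE = re.compile(r"NgcKeyImplType:\s*(\d+)\s*\(0x([0-9a-fA-F]+)\)")

# Constructed sample listing (placeholder SID/GUID values, not real output).
SAMPLE = """\
Microsoft Passport Key Storage Provider:
  SID-PLACEHOLDER/GUID-PLACEHOLDER/1Password-Enclave-Key
  RSA
    NgcKeyImplType: 2 (0x2)
  SID-PLACEHOLDER/GUID-PLACEHOLDER/login.example.invalid/user
  RSA
    NgcKeyImplType: 1 (0x1)
"""

def parse_hello_keys(text):
    """Return [(key_name, impl_value)] in listing order."""
    keys, name = [], None
    for line in text.splitlines():
        stripped = line.strip()
        match = IMPL_RE.search(stripped)
        if match:
            value = int(match.group(1))
            if value != int(match.group(2), 16):
                raise ValueError(f"inconsistent value on line: {stripped!r}")
            keys.append((name or "<unnamed>", value))
            name = None
        elif "/" in stripped:  # assumed shape of a key-name line
            name = stripped
    return keys

def describe(value):
    """Human-readable names for the flag bits set in an impl value."""
    return "+".join(n for bit, n in IMPL_FLAGS.items() if value & bit) or "unknown"

def software_backed(text):
    """Names of keys whose implementation type lacks the hardware flag."""
    return [name for name, value in parse_hello_keys(text) if not value & 0x1]

if __name__ == "__main__":
    for key_name, impl in parse_hello_keys(SAMPLE):
        print(f"{describe(impl):10} {key_name}")
```

A key reported here as software-backed stays that way when a TPM is enabled later; per the thread it only becomes hardware-backed after the Hello PIN or biometric is removed and enrolled again.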